Firewall rules are managed by Linux iptables/ip6tables.
By default, the firewall is configured to accept incoming traffic from the following flows, in IPv4 and IPv6:
There is no specific rule for outgoing traffic: all protocols are allowed.
In the next section, we provide some common commands to customize these rules. For more details, please refer to the online documentation.
Default rules are included for IPv4 and IPv6 respectively in the /etc/iptables/iptables.d/ and /etc/iptables/ip6tables.d/ directories. The content of a default ".rules" file uses the dump format produced by the iptables-save command.
To modify firewall rules, you have two options.
The first option is to add a ".rules" file in the /etc/iptables/iptables.d/ directory (or in /etc/iptables/ip6tables.d/ for IPv6). To apply the new rules, restart the service:
systemctl restart iptables
Then list the active rules with iptables -L for IPv4 rules and ip6tables -L for IPv6 rules. In the following example, we open the http-alt port for the Chirpstack application:
touch /etc/iptables/iptables.d/chirpstack.rules
vi /etc/iptables/iptables.d/chirpstack.rules
# Edit the file with:
*filter
-A INPUT -p tcp --dport http-alt -j ACCEPT
COMMIT
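The steps above (write the drop-in file, sanity-check it, restart the service, verify with iptables -L) as an added shell example; this is not code from the original documentation or from the distribution. It assumes the IPv4 directory named above, and adds an IPTABLES_RULES_DIR override plus the helper names write_rules_file, check_rules_file and apply_rules, which are this example's own. The dry run through iptables-restore --test only happens when the tool is present and the script runs as root.

```shell
#!/bin/sh
# Added example, not part of the original documentation: write one ".rules"
# drop-in in iptables-save format that opens a single TCP port on INPUT,
# check it, then reload the firewall the way the text describes.
# Assumption: RULES_DIR can be overridden via IPTABLES_RULES_DIR so the
# file-writing part can be exercised outside the target system.

RULES_DIR="${IPTABLES_RULES_DIR:-/etc/iptables/iptables.d}"

# valid_port PORT: accept a number in 1..65535 or a service name that
# resolves through /etc/services (e.g. http-alt).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) getent services "$1" >/dev/null 2>&1 ;;
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# write_rules_file NAME PORT: create RULES_DIR/NAME.rules and print its path.
# Refuses names that would escape the directory and refuses to overwrite.
write_rules_file() {
    name="$1"; port="$2"
    case "$name" in
        ''|*/*|*.*) echo "bad rule set name: '$name'" >&2; return 1 ;;
    esac
    valid_port "$port" || { echo "bad port: '$port'" >&2; return 1; }
    file="$RULES_DIR/$name.rules"
    if [ -e "$file" ]; then
        echo "$file already exists; edit it instead of overwriting" >&2
        return 1
    fi
    # Same layout as the hand-written chirpstack.rules file above.
    printf '*filter\n-A INPUT -p tcp --dport %s -j ACCEPT\nCOMMIT\n' "$port" > "$file" || return 1
    echo "$file"
}

# check_rules_shape FILE: cheap sanity check that the file is a complete
# filter-table dump (table header first, COMMIT last) before it is loaded.
check_rules_shape() {
    head -n 1 "$1" | grep -q '^\*filter$' && tail -n 1 "$1" | grep -q '^COMMIT$'
}

# check_rules_file FILE: shape check, plus a dry run through
# iptables-restore --test when the tool is present and we are root.
check_rules_file() {
    check_rules_shape "$1" || return 1
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        iptables-restore --test < "$1"
    fi
}

# apply_rules: restart the service so every drop-in is loaded again, then
# show the INPUT chain so the new ACCEPT line can be verified.
apply_rules() {
    systemctl restart iptables && iptables -L INPUT -n
}

# Typical use on the target system (requires root):
#   write_rules_file chirpstack http-alt \
#     && check_rules_file "$RULES_DIR/chirpstack.rules" \
#     && apply_rules
```

The file is written with a single printf so it always has the *filter header and the COMMIT line; a drop-in missing either one makes iptables-restore reject the whole rule set at the next restart, which is why the shape check runs before the service is touched.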
The second option is to use jetp to open the port. The following playbook can be used as an example:
- name: Allow http-alt connection
  groups:
    - all
  tasks:
    - !external
      use: copycontent
      name: "Open firewall for chirpstack"
      params:
        dest: "/etc/iptables/iptables.d/chirpstack.rules"
        content: |
          *filter
          -A INPUT -p tcp --dport http-alt -j ACCEPT
          COMMIT
    - !sd_service
      name: Reload firewall
      service: iptables
      restart: true
If you want to accept all incoming traffic, you may disable all IPv4 firewall rules with:
iptables -P INPUT ACCEPT; iptables -F
This action is not recommended unless you are an advanced user and are fully aware of the impacts on your system security. Note that this only changes the running rule set: the ".rules" files in /etc/iptables/iptables.d/ are loaded again at the next restart of the iptables service, and the IPv6 rules managed by ip6tables are left untouched.
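As an added example, not part of the original documentation, the following shell function reads every ".rules" drop-in in a directory (the iptables-save dump format described above) and reports what the filter table accepts on INPUT, flagging a default ACCEPT policy or an unrestricted ACCEPT rule, the state that "iptables -P INPUT ACCEPT; iptables -F" leaves behind at runtime. The directory argument and the function name audit_rules_dir are this example's own; the default path is the IPv4 directory named on this page. Port-specific, loopback, stateful (conntrack) and ICMP accepts are reported as expected rather than flagged.

```shell
#!/bin/sh
# Added example, not part of the original documentation: audit every
# ".rules" drop-in in a directory (iptables-save format) and report what the
# filter table accepts on INPUT, flagging rules and policies that open INPUT
# wholesale.
# Assumption: the directory is given as the first argument; the default is
# the IPv4 directory named in the documentation.

# audit_rules_dir DIR: prints one INFO/WARN line per finding on stdout.
# Returns 1 if at least one WARN line was printed, 0 otherwise.
audit_rules_dir() {
    dir="${1:-/etc/iptables/iptables.d}"
    cat "$dir"/*.rules 2>/dev/null | awk '
        /^\*/      { table = substr($0, 2); next }   # "*filter", "*nat", ...
        /^COMMIT$/ { table = ""; next }
        table == "filter" && /^:INPUT / {            # ":INPUT DROP [0:0]"
            if ($2 == "ACCEPT") { print "WARN policy: INPUT default policy is ACCEPT"; bad = 1 }
            else                  print "INFO policy: INPUT default policy is " $2
            next
        }
        table == "filter" && ($1 == "-A" || $1 == "-I") && $2 == "INPUT" {
            proto = ""; port = ""; target = ""; iface = ""; stateful = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")       proto  = $(i + 1)
                if ($i == "--dport")  port   = $(i + 1)
                if ($i == "-j")       target = $(i + 1)
                if ($i == "-i")       iface  = $(i + 1)
                if ($i == "--ctstate" || $i == "--state") stateful = 1
            }
            if (target != "ACCEPT") next
            # Port-specific, loopback, stateful and ICMP accepts are expected.
            if (port != "" || iface == "lo" || stateful || proto == "icmp" || proto == "ipv6-icmp") {
                print "INFO rule: " $0
            } else {
                print "WARN rule: accepts " (proto == "" ? "all protocols" : proto) " on INPUT without a port restriction: " $0
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Typical use on the target system:
#   audit_rules_dir /etc/iptables/iptables.d  || echo "review the WARN lines above"
#   audit_rules_dir /etc/iptables/ip6tables.d || echo "review the WARN lines above"
```

Because the function returns non-zero on any WARN line, it can sit in a deployment check so that a drop-in which accidentally widens INPUT (or a ":INPUT ACCEPT" policy line copied from a full iptables-save dump) is noticed before the service is restarted.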